- Configures the Active Directory domain controller as the server's DNS resolver
- Using sssd and realmd, the RHEL server joins the AD domain (a DNS record, a computer account and a host SPN are created in AD)
- Using samba, an HTTP SPN is created in AD and a keytab containing the HTTP principal is written
- Foreman is installed with IPA/AD support and Kerberos SSO is configured
- https://theforeman.org/manuals/1.15/index.html#5.7ExternalAuthentication
- https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/sect-Red_Hat_Satellite-User_Guide-AD_direct.html
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/realmd-domain.html
- https://theforeman.org/manuals/1.15/index.html#5.7.3KerberosSingleSign-On
- https://theforeman.org/manuals/1.15/index.html#5.7.5Populateusersandattributes
- The script should be converted to an Ansible playbook
- Because of a bug (bugzilla 1271618), realm join has to run with --membership-software=samba
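# Joins a RHEL 7 host to an AD domain and installs Foreman 1.15 with Kerberos SSO.
#
# Required env:
#   AD_ADMIN_PASSWORD  password of the AD account used for the join and the
#                      HTTP keytab; taken from the environment so it never
#                      appears on a command line (argv is visible in `ps`)
# Optional env (defaults are the lab values this script was written with):
#   AD_ADMIN_USER   AD account used for the join and keytab creation (Administrator)
#   AD_DOMAIN       AD DNS domain (test.local); the realm is its upper-case form
#   AD_WORKGROUP    NetBIOS domain name (TEST)
#   NIC             NetworkManager connection to reconfigure (ens33)
#   DNS_SERVERS     comma-separated resolvers, AD DC first (192.168.227.147,192.168.227.2)
#   SHORT_HOSTNAME  hostname to set on this server (foreman1)
#
# Each step depends on the previous one (no keytab without a join, no installer
# without a keytab), so the script stops at the first failing command instead
# of carrying on as the original `cmd; cmd; ...` chain did.
set -euo pipefail

: "${AD_ADMIN_PASSWORD:?set AD_ADMIN_PASSWORD in the environment}"
readonly AD_ADMIN_USER=${AD_ADMIN_USER:-Administrator}
readonly AD_DOMAIN=${AD_DOMAIN:-test.local}
readonly AD_REALM=${AD_DOMAIN^^}
readonly AD_WORKGROUP=${AD_WORKGROUP:-TEST}
readonly NIC=${NIC:-ens33}
readonly DNS_SERVERS=${DNS_SERVERS:-192.168.227.147,192.168.227.2}
readonly SHORT_HOSTNAME=${SHORT_HOSTNAME:-foreman1}
readonly HTTP_KEYTAB=/etc/gssproxy/http.keytab
readonly NET_KEYTAB_CONF=/etc/net-keytab.conf

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Install the Puppet, EPEL and Foreman release RPMs, the Foreman installer
# and the AD integration packages.
# Outputs: yum output on stdout/stderr
#######################################
install_packages() {
  yum -y install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
  # Fetched over TLS (the original used plain http for this one RPM).
  yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  yum -y install https://yum.theforeman.org/releases/1.15/el7/x86_64/foreman-release.rpm
  yum -y install foreman-release-scl
  yum -y install foreman-installer
  yum -y install gssproxy sssd adcli realmd samba-common-tools ipa-python
}

#######################################
# Point DNS at the AD controller, set the search domain and the hostname.
# Globals: NIC, DNS_SERVERS, AD_DOMAIN, SHORT_HOSTNAME (read)
#######################################
configure_network() {
  nmcli con mod "$NIC" ipv4.dns "$DNS_SERVERS"
  nmcli con mod "$NIC" ipv4.dns-search "$AD_DOMAIN"
  nmcli general hostname "$SHORT_HOSTNAME"
  systemctl restart systemd-hostnamed
  systemctl restart network
}

#######################################
# Lab shortcut carried over from the original: the host firewall is switched
# off entirely. Outside a throwaway VM keep firewalld running and open only
# the ports Foreman and the proxy need.
#######################################
disable_firewall() {
  systemctl stop firewalld
  systemctl disable firewalld
}

#######################################
# Join the AD domain with realmd.
# Globals: AD_ADMIN_PASSWORD, AD_ADMIN_USER, AD_DOMAIN (read)
#######################################
join_domain() {
  # realm reads the password from stdin, so it stays out of argv.
  # --membership-software=samba works around bugzilla 1271618.
  printf '%s\n' "$AD_ADMIN_PASSWORD" \
    | realm join -v "$AD_DOMAIN" -U "$AD_ADMIN_USER" --membership-software=samba
}

#######################################
# Write the minimal IPA client config Foreman expects and the smb.conf
# fragment used only for `net ads keytab`.
# Globals: AD_REALM, AD_WORKGROUP, NET_KEYTAB_CONF (read)
#######################################
write_client_configs() {
  cat > /etc/ipa/default.conf <<EOF
[global]
server = unused
realm = $AD_REALM
EOF
  cat > "$NET_KEYTAB_CONF" <<EOF
[global]
workgroup = $AD_WORKGROUP
realm = $AD_REALM
kerberos method = system keytab
security = ads
EOF
}

#######################################
# Create the HTTP SPN in AD and write its key into the gssproxy keytab.
# Globals: AD_ADMIN_PASSWORD, AD_ADMIN_USER, HTTP_KEYTAB, NET_KEYTAB_CONF (read)
#######################################
create_http_keytab() {
  # The samba client tools take the password from the PASSWD environment
  # variable; the original passed it as -U user%password, which is visible
  # to every local user via `ps`.
  PASSWD="$AD_ADMIN_PASSWORD" KRB5_KTNAME="FILE:$HTTP_KEYTAB" \
    net ads keytab add HTTP -U "$AD_ADMIN_USER" -d3 -s "$NET_KEYTAB_CONF"
  chown root:root "$HTTP_KEYTAB"
  # The keytab holds the HTTP service key; gssproxy reads it as root, so no
  # other account needs access.
  chmod 0600 "$HTTP_KEYTAB"
}

#######################################
# Make krb5 read the sssd-managed include directory. Guarded so that
# re-running the script does not stack duplicate includedir lines.
#######################################
configure_krb5() {
  local include='includedir /var/lib/sss/pubconf/krb5.include.d/'
  grep -qxF -- "$include" /etc/krb5.conf || sed -i "1i $include" /etc/krb5.conf
}

#######################################
# Run foreman-installer with IPA authentication enabled. The empty
# /etc/httpd/conf/http.keytab is expected by the installer; the real key
# lives in the gssproxy keytab.
#######################################
run_installer() {
  mkdir -p /etc/httpd/conf/
  touch /etc/httpd/conf/http.keytab
  foreman-installer --foreman-proxy-dhcp=false --foreman-proxy-tftp=false \
    --foreman-ipa-authentication=true
}

#######################################
# Give gssproxy a writable replay-cache directory and enable it.
#######################################
enable_gssproxy() {
  cat > /etc/systemd/system/gssproxy.service <<'EOF'
.include /usr/lib/systemd/system/gssproxy.service
[Service]
Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
EOF
  systemctl daemon-reload
  systemctl restart gssproxy.service
  systemctl enable gssproxy.service
}

#######################################
# Make httpd use gssproxy instead of reading the keytab itself.
#######################################
enable_httpd_gssproxy() {
  cat > /etc/systemd/system/httpd.service <<'EOF'
.include /lib/systemd/system/httpd.service
[Service]
Environment=GSS_USE_PROXY=1
EOF
  systemctl daemon-reload
  systemctl restart httpd.service
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  install_packages
  configure_network
  disable_firewall
  join_domain
  write_client_configs
  create_http_keytab
  configure_krb5
  run_installer
  enable_gssproxy
  enable_httpd_gssproxy
}

main "$@"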